The Administrator Accounts Security Planning Guide

This guide is designed to be an indispensable resource when organizations plan their strategy to secure administrator-level accounts in Microsoft Windows NT–based operating systems such as Windows Server 2003 and Windows XP. It addresses the problem of intruders who acquire administrator account credentials and then use them to compromise the network. The main goal of this guide is to provide prescriptive guidance in terms of the steps an organization can take to secure local and domain-based administrator-level accounts and groups.

The Secure Access Using Smart Cards Planning Guide

This guide is designed to help IT security professionals understand how to plan and implement secure access using smart cards for administrator accounts and remote access user accounts. It enables the reader to understand how to secure access using smart cards and examines the issues and challenges.

The Security Monitoring and Attack Detection Planning Guide

This guide is designed to help IT security professionals understand how to use the security event logs in Microsoft Windows as the basis for monitoring security and detecting attacks on a network. The guide helps the reader to identify relevant security events and interpret sequences of events that might indicate that an attack is in progress.

The Services and Service Accounts Security Planning Guide

This guide is designed to be an important resource when organizations plan their strategy to run services more securely under the Microsoft Windows Server 2003 and Windows XP operating systems. The guide addresses the common problem of Windows services that are set to run with the highest possible privileges, which an attacker could compromise to gain full and unrestricted access to the computer, domain, or even to the entire forest. It describes ways to identify services that can run with lesser privileges and explains how to downgrade those privileges methodically. This guide can help organizations assess their existing services infrastructure and make some important planning decisions in relation to future service deployments.

Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide

This guide is designed to help IT security professionals understand how to plan and implement the Virtual Private Network (VPN) Quarantine services featured in Windows Server 2003 Service Pack 1. The guide enables the reader to understand the approaches to VPN quarantine and examines the issues faced.

Earlier this year we employees heard about this very cool toolkit that was in the works. It’s designed to help you lock down and support computers that are running as shared resources. Here are the details from the tool’s web page:

Overview

Shared computers are commonly found in schools, libraries, Internet and gaming cafés, community centers, and other locations. Often, non-technical personnel are asked to manage shared computers in addition to their primary responsibilities. Managing shared computers can be difficult, time-consuming, and expensive. Without restrictions, users can change the desktop appearance, reconfigure system settings, and introduce spyware, viruses, and other harmful programs. Repairing damaged shared computers costs significant time and effort.

User privacy is also an issue. Shared computers often use shared accounts that make Internet history, saved documents, and cached Web pages available to subsequent users.

The Microsoft Shared Computer Toolkit for Windows XP provides a simple and effective way to defend shared computers from untrusted users and malicious software, safeguard system resources, and enhance and simplify the user experience. The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home Edition, and Windows XP Tablet PC Edition.

Are you supporting shared computers? If so, please share your experiences as a comment here. We’d love to hear what you’ve done, or if you’ve found this toolset useful.

As I mentioned in our briefing, both Intel and AMD have processors that support Hardware-level DEP.

Intel calls the technology their “Execute Disable Bit”. Here is the page that describes their support, with links to their products that support it.

This press release from AMD describes their support also. DEP support is currently only in their A64 (Athlon 64) and Socket 754 Sempron lines.

Q: In the SQL Server 2005 Management Studio, can I work with logs on remote SQL Servers?

A: Yes. The SQL Server logs tool is found under the Management function for the database server you are connected to in the Object Explorer. That server can be local OR remote.

Q: Are there any new “process throttling” capabilities? [Other database products] have a way to watch for processes that run out of control… taking up too many resources (CPU, memory) from the rest of the system. I don’t see a way to do it in 2000, and I’m hoping that 2005 has a solution.

A: UPDATE: I received the following response in the TechNet Discussion Groups:

Hi

sp_configure's 'query governor cost limit' can limit the time a query runs.

In terms of using other resources, they are ungoverned, even with SQL Server 2005.
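As an added illustration of the setting named in that reply (this is example T-SQL, not code from the original post or from the TechNet reply), the block below shows the server-wide `query governor cost limit` option and its per-session counterpart. One caveat worth knowing before relying on it as a throttle: the governor compares the optimizer's estimated cost of a query (estimated elapsed seconds on the reference hardware the optimizer assumes) against the limit before the query starts, so it refuses expensive queries rather than killing one that is already running, and it does nothing for memory or I/O consumption. The numeric limits used here are constructed for illustration.

```sql
-- Added example: server-wide and per-session query governor in SQL Server 2000/2005.
-- 'query governor cost limit' is an advanced option, so it is hidden until
-- 'show advanced options' is enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Inspect the current value. 0 (the default) means no limit is enforced.
EXEC sp_configure 'query governor cost limit';

-- Weak setting: governor switched off, every query is allowed to start
-- regardless of how expensive the optimizer estimates it to be.
EXEC sp_configure 'query governor cost limit', 0;
RECONFIGURE;

-- Hardened setting: refuse any query whose estimated cost exceeds 300
-- (estimated elapsed seconds). The value 300 is a constructed example;
-- choose one from the plan costs you actually observe on the server.
EXEC sp_configure 'query governor cost limit', 300;
RECONFIGURE;

-- Per-session override for a connection that legitimately runs heavier
-- queries (a reporting login, for instance). This applies only to the
-- current session; 0 would disable the limit for that session alone.
SET QUERY_GOVERNOR_COST_LIMIT 1200;
```

Because the check happens at compile time against an estimate, a query whose estimated cost is well below the limit can still run for a long time if the estimate is wrong (stale statistics, parameter sniffing), so the governor complements rather than replaces monitoring of actual resource use.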

I have never been one to go for conspiracy theories. I don’t think that there’s some central organization that is setting gasoline prices at artificially high levels, or running the world’s economy because they are under the direction of aliens who want to maintain the appearance of all of us being able to determine our own fates. However, recent events are causing me to suspect that certain industries may in fact LIE to their customers in order to save a few $’s.

Here’s my story. Monday, two days ago, found me traveling to Peoria, IL from Minneapolis. I have one stop in Chicago. I’m traveling on [Airline Name Deleted] Airlines.

Anyway, the flight from Minneapolis to Chicago was just fine. No concerns. So now I’m waiting my flight to Peoria. “Hmm… I don’t see a plane out there.”… not usually a good sign. But soon an announcement of my plane’s delayed arrival from somewhere else leads me to believe that there is hope.

However… many minutes later, after the plane has emptied, there is announcement that they are “working on a mechanical issue” and that they “would let [us] know in 30 minutes what the status is.” Uh oh…

30 minutes pass. True to her word, here’s the announcement. “We’re sorry, but the flight has been cancelled. The rest of our flights to Peoria are pretty full today. Come to the desk and we’ll give you some options.”

The options were: Risk standby on [Truly Aggravating] Airlines or some other airline, take a bus voucher for a 3–3/4 hour ride, or let them put me in a hotel for the evening and take a flight tomorrow.

Hmm… well, the flight tomorrow wasn’t an option. Tomorrow is why I’m going to Peoria. My briefing attendees won’t sit there waiting for me to arrive on the morning flight. And it was being said that the standby option probably wasn’t going to work because those flights had been sold full, too. So I guess that will be one bus voucher for me. Thanks.

“Oh, and sir… the next bus leaves in 10 minutes.. so I don’t think you’ll make it, but you can try. Go and collect your bag at carousel ten.”

Cool. Go get my bag. I walk briskly to carousel 10 (which is a LONG walk. Any walk in O’Hare is a long walk.) C’mon bag!

So I waited. And watched. And counted the minutes. And watched the 3:00pm bus departure time come and go… but still no bag. Frustrated, as you can imagine, I went to the luggage claim desk. The “friendly” woman there informed me that my bag is on its way to Peoria on one of the later, “full” flights, so I should get it from the Peoria airport when I get there.

Anyway… I go to the bus terminal. Yes indeed, I missed the 3:00 bus by 10 minutes. And I found out that the next one departs at 7:00pm! <sigh> well… I got nothing but time (and a heavy laptop bag), so I head back to the terminal figuring, “I’ve got the bus ticket. There’s no harm in going to the [Stupid] Airlines ticket counter and asking if there were please-oh-please some other option.”

On the way to the ticket agent, I decided that I might just double-check the baggage-claim-carousel-from-hell to see if my bag might have suddenly appeared. Guess what?! A miracle! My bag was there, going ‘round in circles! Lesson learned: Never trust what [*@!*$#!] Airlines employees tell you – especially when their stories don’t match.

Somewhat relieved that I had at least claimed my week’s belongings, I head to the ticket counter and explain my exasperation. (I was really polite. Seriously. More polite than they deserved, which is ALWAYS a good thing.) Unfortunately my exasperation or even my most polite smile couldn’t coax all the clickety-clacking on her circa 1976 keyboard to find me a flight to Peoria this evening, on any airline. I said, “Well.. then can you get me a one-way rental car?”

“Nope. We don’t do rental cars.”

[smiling, mostly] “Can I have a second opinion?”

“I’ll get the supervisor.”

“Great. You do that.”

Several minutes pass… and finally an obviously overworked supervisor du jour comes over. “How can I be of assistance?”

<gasp> “Okaaaaay…. What do you recommend I do that won’t mean I have to sit around here for four hours and then another three-and-a-half hours on a bus?”

“I can give you this $5 voucher for a snack.”

<bigger gasp> “Um… (still smiling politely, but feel like I’m talking through gritted teeth..) Unless you know of a cab driver who will accept a $5 snack voucher in exchange for a trip to Peoria, this is not going to help much.”

“I’m sorry sir. That’s all I can do. Well… actually, I can also give you this $10 voucher for dinner. But that’s really all I can do.”

“ummm… <sigh> I guess I’m traveling by bus then. Thank you.” (See? I am way too polite. Thinking about it later, I’m kicking myself that I thanked them for so little.)

So off I go, big bag and heavy laptop bag and all, back over to the bus terminal. On the way I use my “$5” to buy $4.85 worth of coffee and bottled water at a Starbuck’s kiosk. (“Can’t give you change, Mr. Customer Sir. Not for a voucher.”) And then at the bus terminal I use my $10 to buy about $8.50 worth of Uno’s pizza and a Snapple. (“Can’t give you change, mack. Not for a voucher.”)

Well…to cut to the end of this Monday saga; I catch the bus. And because I’m going to the Peoria airport on a voucher, I have to be the very last stop. (“Gotta do the regular route first, buddy. You’ve only got a voucher.”) Rental car folks kept their word, though… they were there waiting for me to arrive, even after their closing time. Big points for Avis. They do “try harder” when it means some nice lady waits around an extra half hour late in the evening just for little ol’ me. Very nice!

Is that the end of my story? NO! Tuesday night I leave our event (Had a great time! Thanks again, Peoria!) and head to the airport. Check the bag. Head to the gate. Board says it’s still on time. Cool. Head to the wash room. And just as I’m washing my hands, I hear the announcement. “Flight #xyz arriving from Chicago has been cancelled. Because of this, flight #abc, the flight that Kevin A. Remde is on, has been cancelled.”

I’m sure many people in the terminal heard the echoed “NOOOoooooooo!” emanating from the Men’s room.

Unbelievable. So… back to the ticket counter, where they put me on a later flight on yet-another-but-obviously-more-reliable airline. Fortunately, and thankfully, I actually SEE them hand my bag from one company to the other… and this new flight to Chicago goes just wonderfully – made better by the fact that one of my coworkers was also on the flight, so we each had someone to talk to.

—

So where does this leave me? I’m sitting here writing this, on Wednesday afternoon, at O’Hare gate G7 (oooh.. that may have given away the Airline. <heh>), having had two days prior of cancelled flights. I’m waiting for a plane to arrive at the gate that will take me to Madison, Wisconsin. It’s not here yet. Hmmm…

And as you can imagine, I’m wondering… will it happen again? Is it true that “bad things come in 3’s”, or will it be “the third time’s the charm”? And did [really frustrating] Airlines make money on Monday when they cancelled my flight, because it only cost them $45 for a $30 bus ticket and $15 (really $13.35)

So I’m also wondering: Maybe they lied. <gasp!> Conspiracy! Could it be?! Maybe “mechanical problems” sometimes is just code for “in this case we think we can save some big bucks by making you all make other arrangements and we’re willing to risk pissing you off because we know right now you have no other options so just shut up and take this voucher [forced smile]”.

There is something I’m not wondering, however. In fact, I’m absolutely certain… Unless I get some satisfaction from them in the form of at LEAST a letter of apology, I will NOT be traveling on [Poopy-Pants] Airlines ever again if I can help it.

Sorry for the delay. I enjoyed a couple of days in your lovely state, taking a tour out of Seward, seeing lots of glaciers and amazing wildlife. I know it’s all just the usual terrain there to you.. but to a Minnesota boy, it’s simply awesome!

So after an all-too-brief stop off at home on Sunday, it was back on the road for me. (Peoria – your Q&A is next up!)

Here are the questions (with answers) I jotted down at our TechNet Briefing in Anchorage.

Also, for your convenience once again, here is the link to my blog post containing the link to that resource document I handed out.

—

Q: Do the 64 bit processors support DEP? What about the 64 bit versions of Windows?

Using Windows Small Business Server 2003 Transition Pack you can upgrade your computer running Windows Small Business Server 2003 to Windows Server 2003, Standard Edition, and the standard versions of the server applications. After performing this migration, you will be able to do the following:

Transfer the operations master role to another domain controller.

Establish trust relationships to and from another domain, or add child domains to your existing Active Directory forest.

Move server applications to another server. After the migration, you can move the server applications off of the original server. You might choose to move one or more applications to a separate server to improve the performance of the application. For example, if you are going to add more than 75 users, moving Exchange Server 2003 to a different server can help that application to perform better with the new user load.

Enable Terminal Server.

Increase your maximum number of users.

Increase the maximum number of processors supported from two to four.

After you have migrated your server:

You will still be able to use the Windows Small Business Server tools; however, they will no longer be supported and you will not be able to reinstall or remove the tools.

You will no longer be able to run Windows Small Business Server 2003 Setup to modify (add, remove, re-install) the server applications.

Your business will be licensed for one copy of Windows Server 2003, Standard Edition, and the standard versions of the server applications.

You will have five client access licenses (CALs) for each server application. If you have more than five users, you must purchase additional CALs for each of the individual server products. For information about purchasing additional CALs, see the individual server product pages at the Microsoft Web site (http://www.microsoft.com/servers/howtobuy/default.asp).

Not sure if you should? Well.. here’s what we’re covering this time around…

Microsoft Windows Server 2003 Is Evolving

With the recent release of Windows Server 2003 SP1, now is the best time to see the benefits of these significant updates. Are you prepared for the changes this upgrade will have on your network system? This is a great opportunity to see how SP1 may change your entire network infrastructure for the better. Join our experts at this technical briefing.

Microsoft SQL Server 2005 is coming

It has been 5 years since a major Microsoft SQL Server release. In a technology timeline, that could be considered a lifetime! Attending this session is your first step in preparing for a change that could give you a technical knowledge advantage over all the other IT Professionals working with corporate data. Get prepared for the change coming soon.

Click the links above to register, or visit the TechNet Briefings site (www.technetbriefings.com) for session topics and links to registration and additional resources.

On Monday, June 6th, Chris Henley and I were working in the Server Infrastructure area of the Hands-on-Labs. We volunteered to fix a lab that was broken (HOL163), so I thought I’d document our efforts on video.

IT Governance Institute (ITGI): Control Objectives for Information and Related Technology (CobiT), which includes the IT Governance Maturity Model. This document can be purchased from http://www.itgi.org

Answer the following 17 questions and score each answer on a scale of 0 to 5 as illustrated in the table following the set of questions. These questions and the score levels help to determine the overall maturity level of your organization.

Information security policies and procedures are clear, concise, well documented, and complete.

Policies and procedures for securing third-party access to business data are well documented. For example, offshore vendors performing application development for an internal business tool have sufficient access to network resources to effectively collaborate and complete their work, but they have only the minimum amount of access that they need.

An inventory of IT assets such as hardware, software, and data repositories is accurate and up-to-date.

Suitable controls are in place to protect business data from unauthorized access by both outsiders and insiders.

Effective user-awareness programs are in place, such as training and newsletters regarding information security policies and practices.

Physical access to the computer network and other information technology assets is restricted through the use of effective controls.

New computer systems are provisioned following organizational security standards in a standardized manner using automated tools such as disk imaging or build scripts.

An effective update management system is able to automatically deliver software updates from most vendors to the vast majority of the computer systems in the organization.

An incident response team has been created and has developed and documented effective processes for dealing with and tracking security incidents. All incidents are investigated until the root cause is identified and any problems are resolved.

The organization has a comprehensive antivirus program that includes multiple layers of defense, user-awareness training, and effective processes for responding to virus outbreaks.

User-provisioning processes are well documented and at least partially automated so that new employees, vendors, and partners can be granted an appropriate level of access to the organization’s information systems in a timely manner. These processes should also support the timely disabling and deletion of user accounts that are no longer needed.

Computer and network access is controlled through user authentication and authorization, restrictive access control lists on data, and proactive monitoring for policy violations.

Application developers are provided with education and possess a clear awareness of security standards for software creation and quality assurance testing of code.

Business continuity programs are clearly defined, well documented, and periodically tested through simulations and drills.

Effective programs are underway for ensuring that all staff perform their work tasks in a manner compliant with legal requirements.

Third-party reviews and audits are used regularly to verify compliance with standard practices for securing business assets.

Answer and score each of the 17 questions using one of these values from 0 to 5:

0 Non-existent

Policy (or process) is not documented, and the organization has previously been unaware of the business risk that this area of risk management addresses.

1 Ad hoc

It is clear that some members of the organization have concluded that risk management has value. However, risk management efforts are performed in an ad hoc manner. There are no documented processes or policies, and the process is not fully repeatable. Risk management projects seem chaotic and uncoordinated, and results are not measured and audited.

2 Repeatable

There is awareness of risk management throughout the organization. The risk management process is repeatable yet immature. The process is not fully documented, but the activities occur on a regular basis, and the organization is working toward establishing a comprehensive risk management process.

3 Defined process

The organization has made a formal decision to adopt risk management wholeheartedly to drive its information security program. A baseline process has been developed that includes clearly defined goals with documented processes for achieving and measuring success. The organization is actively implementing its documented risk management process.

4 Managed

There is a thorough understanding of risk management at all levels of the organization. Risk management procedures exist, the process is well defined, awareness is broadly communicated, rigorous training is available, and some initial forms of measurement are in place to determine effectiveness. There is some use of technological tools to help with risk management, but many—if not most—risk assessment, control identification, and cost-benefit analysis procedures are manual.

5 Optimized

The organization has committed significant resources to security risk management, and staff members are looking toward the future to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors).

Scoring your Organization’s SRM Maturity Results:

Calculate your organization’s score by adding up the score level of each statement. The following table provides information for each score range:

51 or above

Your organization is well prepared to introduce and use the Microsoft security risk management process to its fullest extent.

34–50

Your organization has taken many significant steps to control security risks and is ready to gradually introduce the security risk management process. You should consider rolling out the process to a few business units over a few months before exposing the entire organization to its benefits.

33 or below

Consider starting the security risk management process slowly by creating the core security risk management team and applying the process to a single business unit for the first few months. After demonstrating the value of the process, expand it to two or three additional business units. As the process is accepted as demonstrating value, continue adding business units.

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP is a reference guide for the major security settings and features included with Windows Server 2003 and Windows XP. It is available at http://go.microsoft.com/fwlink/?LinkId=15159

“Okay… Windows Updates does my OS, and then I have to go to the Office page to scan for Office updates… and then I have to go to the Exchange page to find updates for my Exchange Server… and…”

Yeah… It’s a pain. But your cries have been heard. Finally, the long-awaited Microsoft Update is live!

“Now available: Microsoft Update consolidates updates provided by Windows Update and Office Update into one location and enables you to choose automatic delivery and installation of high-priority updates.”

Here I am on the plane ride home. And judging from all the TechEd bags, VB.NET magazines being read, and funny ‘No, I will not fix your computer’ t-shirts, this is a plane that’s chock-full o’ geeks. And most of these geeks are only on their first leg home. Not me, though… one of the benefits of living in the airline’s hub city. One hop, and yer home.

I wonder if the rest of the TechEd attendees had as much trouble closing their suitcases as I did. I tried to keep the swag collection to a minimum this year, and thought I had “packed” sufficient “space”, but it’s always the same story.

I could sleep now, because I’m pretty tired; but I have a webcast to deliver on Monday and many family activities this weekend that I’d much rather be doing while I’m home. And I can work, only because I was bumped to first class. Yeah baby. It does have its privileges. Like being able to open your laptop enough to see the screen. Mostly.

I’m seated here in seat 4B, drinking black coffee (Yep.. in first class you get FREE REFILLS!) and I’m preparing notes for the webcast on “Security Risk Management”. As I returned to my seat from a recent stop at the lavatory (In the first class lav, you can use as many paper towels as you want!) I noticed Steve Riley snoozing in 2C. Too bad I wasn’t sitting next to him, or I could be asking his input. Of course, I don’t doubt that he already had input into this official Microsoft Security content I’m using. …but little does he know that I’m also going to be stealing.. er… borrowing some of the funny-yet-effective pictures he used in his TechEd Simulcast webcast earlier this week.

And was that Jesper Johansson (sp?) snoozing next to him, with his head on Steve’s shoulder? Naw… but that sure is a funny thought.

Hey.. just now I even took two of those little bags of pretzels, and our flight attendant didn’t say a word about it! In coach you’d get your hand slapped.. but I guess in first class you get by with merely a disapproving glare. Ah… the life of Riley. (Yes… Steve too).

So, what’s next for Kevin?

After the family weekend and the webcast, I’m getting on a plane yet again – this time to Anchorage, Alaska. Yep. I’m filling in for Michael J. Murphy, who isn’t able to make it. And I had “backup duty” this week. So, if you’re in the Anchorage area, I’ll see you this coming Wednesday! And Thursday and Friday I expect to do some sightseeing. It’s been awhile since I’ve seen a glacier up-close-and-personal. So, if you’re a wild woodland creature in the area, I’ll see you this coming Thursday or Friday!

It’s with mixed emotions that we reach this day. We’ve been learning a lot, partying hard, meeting people, and genuinely enjoying ourselves. That’s the upside. The downside, of course, is that we’re away from our families for a long time. That.. to put it bluntly.. sucks. So it’s good to be going home soon.

But we did have fun last night, didn’t we? Yeah! Universal Studios!

That was fun. I went from attraction to attraction with coworker Shawn Travers and boss John Weston. We got to see most of the good ones. The food was good, too. Didn’t get much time to see the live music or sample the libations (just as well), but really enjoyed the whole evening. Outstanding, as always.

Afterwards John Baker and I met up with our one-time webcast producer and now webcast coordinator Keith Mazzuco for a couple of Coronas. Unfortunately, the really fun place we had been to twice before during the week turns out to be pretty boring on a Thursday.

So now I’m back in my room. It’s time to go to bed. Tomorrow I’ll attend one of the SQL sessions, and then it’s back to working in the Hands-on-Labs and another shift on the Microsoft Across America “Mobile Experience”. Then, since I’m not flying home ‘til Saturday, I think I’ll find something fun to do. Maybe Pleasure Island. I love live music.

Last night’s “Influencer Appreciation Party” was fun… but it might have been more fun if they’d kept the Karaoke idea going. My opinion: More people were going to enjoy that than the dance mix. And besides… I’m Kevin!

Yes.. that is ME! I was next up to sing, and then the DJ was told to give the singing a break and just play some dance music… so my name and selection were left up there for an hour-and-a-half while I waited. Eventually he changed that screen… but it was rather disappointing watching very FEW people dance, and also knowing that there was a long line of willing (albeit questionably able) singers available for some good fun.

Oh well.

Today is more lab work. Hopefully they have put back up that HOL163 (SRV10) so I can get it working properly. Also, I want to do some of the SQL labs. I hear they are excellent.